Thursday, May 20, 2010

It's called sudo

Sometimes, I get email spam that is too interesting to delete immediately. Here's one that arrived at my work account, advertising a free "webinar" about a security product:

Organizations can no longer tolerate the security risks posed by intentional, accidental or indirect misuse of privileges. However, organizations need to provide the extended enterprise with necessary privileges within specified guidelines to do their job safely.

You will learn how to securely delegate privileges and authorization without disclosing the root password, including [...]

Maybe I wasn't aware that people didn't know how to do this already, so I'll explain it here. In Unix and Linux systems, this is managed using the "sudo" command.

With sudo, a systems administrator can delegate the ability to run certain commands as though the user were root. (In Unix, root is the administrator of the system.) Only certain commands are allowed, as designated by the real systems administrator. You can even specify which command line options are permitted.

For example, in a corporate environment, a systems administrator often just manages the operating system, and a separate web server administrator is in charge of managing the technical components of a web site. We do this where I work. So root can set up sudo so the web server administrator can start, stop, and restart the "httpd" service. That's all the web server administrator can do - they can't do anything else as root.

Most importantly, sudo allows you to share access to specific users. So users ben and mike can restart a web server, because they're the only people on the web server administrator team - but not users fred or sharon.

The ben user would type this at the "$" command line prompt:

$ sudo service httpd restart

Or maybe the systems administrator set up a single command to restart the web server. In that case, the command might be:

$ sudo web-restart

On my personal Linux system, I never login as root anymore, so I use sudo for those (rare) times that I need to do something "administrative" at the command line. (I don't often work at the command line these days, but sometimes I like to exercise my "sysadmin" background.)

In my case, I configured the sudo command (/etc/sudoers) to allow my general user login to run any command as root, but only if I provide my password. It's easy! You can also set up sudo to not require a password for certain users or for certain commands, but I prefer to require a password - if only to remind me that I'm about to become the root user.

For when you're working in the GUI, Linux uses PolicyKit to do something similar. That's why you can change the date and time on a Linux desktop without having to login as root.

Note that Windows has something similar to sudo, called runas ("Run As"). In Windows Vista and Windows 7, this is User Account Control, or "UAC". But runas (or UAC) is actually less secure than sudo. When you want to run an "administrative" command using runas, you will be prompted to provide the password for Administrator. So to delegate authority and privilege to your users, everyone needs to have shared access to the Administrator password.

5 comments:

My understanding of runas is that it can be pretty close to sudo in actual use--it doesn't require a shared admin account, it can use any account. At one project I worked on each of us had a regular user account for email and internet, and an account with elevated privileges that wasn't full admin. We could runas the elevated account. Slightly more cumbersome than sudo, but it worked out about the same.

The Microsoft folks are just too good to waste time learning about that antique UNIX stuff that nobody uses. They're so good at innovating you know. And W7 is the most secure version of Windows yet; no one can hack it!

Unfortunately I will be using Winduhs (XPe) in a prototype instrument; I'm dreading the Flash wear and those startup scripts that require user intervention - things like "the computer didn't seem to have been shut down properly last time; do you want to start in safe mode?"

@Sevesteen: The problem with that is now you've got two accounts for every user, one "adminish" and one "normal". This can lead to both an increase in admin tasks.

The Windows method has one more drawback too: my understanding, and someone can correct me if I'm wrong, is that, when you sudo, the program still runs "as you", just with the permissions of someone else. So if you drop something on your desktop, it actually goes onto your desktop. (That'd be an interesting experiment, but I'm too lazy to conduct it now.) On Windows, if you runas someone, and drop something on the desktop or in My Documents, or go to open something in one of those places, you're looking at the other user's stuff.

There may be file ownership problems as well, even if you get the location right. (Again, would need more experimentation.)

The security thing I could see being a reasonably big deal for organizations, but doesn't matter much for a home user. (How many people actually put the separate people in the house on separate accounts in the first place?) The latter thing arguably matters more for the home user, though it is a relatively small annoyance. (At least after you've seen the problem once or twice and so know what's going on.)

About Me

I've been a Linux user since 1993, and since 2002 I've been fortunate enough to run Linux full-time at work. But, I've been asked to move back to Windows, at least for work. The difference between Windows and Linux has been shocking, to say the least. Since I find it interesting when long-time Windows users experiment with Linux for the first time, I thought it might be equally interesting for this long-time Linux user to blog about my first experience running Windows in over 6 or 7 years.